Abstract

Given a set of interacting components with non-deterministic variable update and given 
safety requirements, the goal of priority synthesis is to restrict, by means of priorities, the 
set of possible interactions in such a way as to guarantee the given safety conditions for 
all possible runs. In distributed priority synthesis we are interested in obtaining local sets
of priorities, which are deployed in terms of local component controllers sharing intended 
next moves between components in local neighborhoods only. These possible communication 
paths between local controllers are specified by means of a communication architecture. 
We formally define the problem of distributed priority synthesis in terms of a multi-player 
safety game between players for (angelically) selecting the next transition of the components 
and an environment for (demonically) updating uncontrollable variables; this problem is NP- 
complete. We propose several optimizations including a solution-space exploration based on 
a diagnosis method using a nested extension of the usual attractor computation in games 
together with a reduction to corresponding SAT problems. When diagnosis fails, the method 
proposes potential candidates to guide the exploration. These optimized algorithms for solving 
distributed priority synthesis problems have been integrated into our VissBIP framework. An 
experimental validation of this implementation is performed using a range of case studies 
including scheduling in multicore processors and modular robotics. 

I. Introduction 

Given a set of interacting components with non-deterministic variable update and given a 
safety requirement on the overall system, the goal of priority synthesis is to restrict, by means 
of priorities on interactions, the set of possible interactions in such a way as to guarantee 
the given safety conditions. Since many well-known scheduling strategies can be encoded 
by means of priorities on interactions [12], priority synthesis is closely related to solving
scheduling problems. 

Consider, for example, the multiprocessor scheduling scenario depicted in Figure 1 as
motivated by a 3D image processing application. Each of the four processors needs to allocate 
two out of four memory banks for processing; in this model processor A (in state Start) may 
allocate memory bank 2 (in state free) by synchronizing on the transition with label A2, 
given that CPU A is ready to process, that is, varA, which is non-deterministically toggled by
the environment through idleA transitions, holds. Processor A may only allocate its "nearest" 
memory banks 1, 2 and 3. Without any further restrictions on the control this multiprocessor 
system may deadlock. 

Such control restrictions are expressed in terms of priorities between possible interactions. For instance, a priority B1 < A1 effectively disables interaction B1 whenever A1 is enabled. A solution for the priority synthesis problem, based on game-theoretic notions and a translation to a corresponding satisfiability problem, has been described previously [5], [10]. This solution yields centralized controllers, whereas here we are interested in obtaining decentralized controls for each of the components. Coordination between these local controllers is restricted to communicating intended next moves along predefined communication paths.

Figure 1. Multicore scheduling in VissBIP [9].

The possible communication paths among components are defined in terms of a communication architecture which consists of ordered pairs of components. For example, executing interaction A2 requires bidirectional communication along (A, M2) and (M2, A). A master-slave communication architecture for broadcasting the next transition of processor A to all other processors includes the pairs (A, B), (A, C), and (A, D). In this architecture (Table I, index 1), the local controller of each recipient CPU uses the communicated next transition of CPU A, say A1, and disables every enabled local transition with a lower priority than A1. Alternative architectures in Table I for the multiprocessor scenario include a two-master protocol, where processors A and D notify processors B and C, and a symmetric architecture, where each processor notifies its "nearest" neighbors. Notice that communication architectures are not necessarily transitive.

Altogether, the result of distributed priority synthesis is a set of local priorities for each component which is compatible with a given communication architecture. More precisely, if component C may notify component D in a given communication architecture, then local priorities for the controller of component D are of the form s < t, where s is a possible transition of D and t a possible transition of C. Possible solutions for three different communication architectures for the multiprocessor scenario are listed in Table I. Notice that the solution for the symmetric architecture (index 3) uses a slight refinement in that components do not only publish the intended next transition but also the source state of this transition; for example, the notation A1.M2 expresses that processor A is at location M2 and intends to trigger transition A1. Obviously, this refined notion of priorities can always be expressed in a transformed model with new transitions, say A1M2, A1M3, A1Start, encoding the source states M2, M3, Start of A1.

Table I. Communication structures and corresponding distributed controllers for the multiprocessor scenario in Figure 1. Notice that St abbreviates Start.

Index 1: /* A broadcasts to B, C, D */
  Communication architecture: (CPU-A, CPU-B), (CPU-A, CPU-C), (CPU-A, CPU-D)
  CPU-A: unrestricted
  CPU-B: (B1 < A1), (B2 < A2), (B1 < idleA), (B2 < idleA)
  CPU-C: (C1 < A1), (C3 < A3), (C1 < idleA), (C3 < idleA)
  CPU-D: (D2 < A2), (D3 < A3), (D2 < idleA), (D3 < idleA)

Index 2: /* A, D send to B, C */
  Communication architecture: (CPU-A, CPU-B), (CPU-A, CPU-C), (CPU-D, CPU-B), (CPU-D, CPU-C)
  CPU-A: unrestricted
  CPU-B: (B1 < A1), (B1 < idleA), (B2 < A2), (B2 < idleA), (B4 < D4), (B4 < idleD), (idleB < A1), (idleB < A2), (idleB < A3), (idleB < D4), (idleB < idleA)
  CPU-C: (C1 < A1), (C1 < idleA), (C3 < A3), (C3 < idleA), (C4 < D4), (C4 < idleD), (idleC < A1), (idleC < A2), (idleC < A3), (idleC < D4), (idleC < idleA)
  CPU-D: unrestricted

Index 3: /* local communication */
  Communication architecture: (CPU-A, CPU-B), (CPU-A, CPU-C), (CPU-B, CPU-A), (CPU-B, CPU-D), (CPU-C, CPU-A), (CPU-C, CPU-D), (CPU-D, CPU-C), (CPU-D, CPU-B)
  CPU-A: (A1.St < B1.M2), (A1.St < B1.M4), (A2.St < B2.M1), (A2.St < B2.M4), (A3.St < C3.M1), (A3.St < C3.M4)
  CPU-B: (B1.St < A1.M2), (B1.St < A1.M3), (B2.St < A2.M1), (B2.St < A2.M3), (B4.St < D4.M2), (B4.St < D4.M3)
  CPU-C: (C1.St < A1.M2), (C1.St < A1.M3), (C3.St < A3.M1), (C3.St < A3.M2), (C4.St < D4.M2), (C4.St < D4.M3)
  CPU-D: (D2.St < B2.M1), (D2.St < B2.M4), (D3.St < C3.M1), (D3.St < C3.M4), (D4.St < B4.M1), (D4.St < B4.M2)

Given a solution to the distributed priority synthesis problem, a local controller for each 
component may work in each cycle by, first, sending its intended next move and receiving next 
moves from other components according to the given communication architecture, and, second, 
disabling any enabled local transitions with a lower priority among the received intended next 
moves; algorithms for priority deployment [4], [2] may be reused.
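The controller cycle just described, as an added illustration that is not code from the paper or from VissBIP: the priorities and the architecture are those of Table I, index 1, whereas the enabled sets, the intended moves and the dictionary standing in for the message exchange are constructed inputs of this example, and owner() relies on the label naming of Figure 1 (A1, idleA belong to CPU-A).

```python
"""One deployment cycle of the local controllers of Table I, index 1 (added example,
not VissBIP code).  Messages are passed through a plain dictionary, which stands in
for the real communication layer; the enabled sets and intended moves are constructed."""

# Communication architecture of Table I, index 1: A broadcasts to B, C and D.
COM_INDEX_1 = {("CPU-A", "CPU-B"), ("CPU-A", "CPU-C"), ("CPU-A", "CPU-D")}

# Local priorities (s < t) from Table I, index 1: s belongs to the owning controller,
# t to a component that informs it.  CPU-A is unrestricted.
LOCAL_PRIORITIES = {
    "CPU-A": set(),
    "CPU-B": {("B1", "A1"), ("B2", "A2"), ("B1", "idleA"), ("B2", "idleA")},
    "CPU-C": {("C1", "A1"), ("C3", "A3"), ("C1", "idleA"), ("C3", "idleA")},
    "CPU-D": {("D2", "A2"), ("D3", "A3"), ("D2", "idleA"), ("D3", "idleA")},
}

# Constructed snapshot: what each controller intends next, and what is locally enabled.
INTENDED = {"CPU-A": "A1", "CPU-B": "B1", "CPU-C": "C1", "CPU-D": "D2"}
ENABLED = {"CPU-A": {"A1", "A2"}, "CPU-B": {"B1", "B2"},
           "CPU-C": {"C1", "C3"}, "CPU-D": {"D2", "D3"}}


def owner(label):
    """CPU owning a transition label under the naming of Figure 1 (A1, idleA -> CPU-A)."""
    return "CPU-" + (label[-1] if label.startswith("idle") else label[0])


def undeployable(priorities, com):
    """Local priorities violating condition 3 of Definition 4: s < t may only be used
    by the owner of s, and only if the owner of t informs that controller."""
    return {(cpu, s, t) for cpu, prios in priorities.items() for s, t in prios
            if owner(s) != cpu or (owner(t), cpu) not in com}


def controller_cycle(intended, enabled, priorities, com):
    """Step 1: every controller publishes its intended move and reads the moves of its
    informers only.  Step 2: each enabled local transition s with a priority (s < t)
    for some received t is disabled.  Returns the surviving enabled set per controller."""
    assert not undeployable(priorities, com), "priorities must match the architecture"
    allowed = {}
    for cpu, local in enabled.items():
        received = {intended[src] for src, dst in com if dst == cpu and src in intended}
        blocked = {s for s, t in priorities[cpu] if t in received}
        allowed[cpu] = set(local) - blocked
    return allowed
```

On the constructed snapshot the cycle leaves CPU-B with {B2} and CPU-C with {C3}, since both hear A1; CPU-D also hears A1 but owns no priority below A1, so it keeps {D2, D3}; CPU-A hears nobody. A controller whose own intended move was disabled (CPU-B here) publishes a different move in the next cycle. Passing index 2's priority (B4 < D4) to this architecture is rejected by undeployable(), because D does not inform B under index 1.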

The rest of the paper is structured as follows. Section II contains background information on a simplified variant of the Behavior-Interaction-Priority (BIP) modeling framework [1]. The corresponding priority synthesis problem corresponds to synthesizing a state-less winning strategy in a two-player safety game, where the control player (angelically) selects the next transition of the components and the environment player (demonically) updates uncontrollable variables. In Section III we introduce the notion of deployable communication architectures and formally state the distributed priority synthesis problem. Whereas the general distributed controller synthesis problem is undecidable [19], we show that distributed priority synthesis is NP-complete. Section IV contains a solution to the distributed synthesis problem which is guaranteed to be deployable on a given communication architecture. This algorithm is a generalization of the solution to the priority synthesis problem in [5], [10]. It is a complete algorithm and integrates essential optimizations based on symbolic game encodings including visibility constraints, followed by a nested attractor computation, and lastly, solving a corresponding (Boolean) satisfiability problem by extracting fix candidates while considering architectural constraints. Section V describes some details and optimizations of our implementation, which is validated in Section VI against a set of selected case studies including scheduling in multicore processors and modular robotics. Section VII contains related work and we conclude in Section VIII.



II. Background 

Our notion of interacting components is heavily influenced by the Behavior-Interaction-Priority (BIP) framework [1], which consists of a set of automata (extended with data) that synchronize on joint labels; it is designed to model systems with combinations of synchronous and asynchronous composition. For simplicity, however, we omit many syntactic features of BIP such as hierarchies of interactions, and we restrict ourselves to Boolean data types only. Furthermore, uncontrollability is restricted to non-deterministic update of variables, and data transfer during joint interactions among components is also omitted.

Let $\Sigma$ be a nonempty alphabet of interactions. A component $C_i$ of the form $(L_i, V_i, \Sigma_i, T_i, l_i^0, e_i^0)$ is a transition system extended with data, where $L_i$ is a nonempty, finite set of control locations, $\Sigma_i \subseteq \Sigma$ is a nonempty subset of interaction labels used in $C_i$, and $V_i$ is a finite set of (local) variables of Boolean domain $\mathbb{B} = \{\mathit{True}, \mathit{False}\}$. The set $\mathcal{E}(V_i)$ consists of all evaluations $e : V_i \to \mathbb{B}$ over the variables $V_i$, and $\mathcal{B}(V_i)$ denotes the set of propositional formulas over variables in $V_i$; variable evaluations are extended to propositional formulas in the obvious way. $T_i$ is the set of transitions of the form $(l, g, \sigma, f, l')$, where $l, l' \in L_i$ respectively are the source and target locations, the guard $g \in \mathcal{B}(V_i)$ is a Boolean formula over the variables $V_i$, $\sigma \in \Sigma_i$ is an interaction label (specifying the event triggering the transition), and $f : V_i \to (2^{\mathbb{B}} \setminus \{\emptyset\})$ is the update relation mapping every variable to a nonempty set of allowed Boolean values. Finally, $l_i^0 \in L_i$ is the initial location and $e_i^0 \in \mathcal{E}(V_i)$ is the initial evaluation of the variables.

A system $S$ of interacting components is of the form $(\mathcal{C}, \Sigma, \mathcal{P})$ with $\mathcal{C} = (C_1, \ldots, C_m)$, where $m \geq 1$, all the $C_i$'s are components, and the set of priorities $\mathcal{P} \subseteq \Sigma \times \Sigma$ is irreflexive and transitive [12]. The notation $\sigma_1 \prec \sigma_2$ is usually used instead of $(\sigma_1, \sigma_2) \in \mathcal{P}$, and we say that $\sigma_2$ has higher priority than $\sigma_1$. A configuration (or state) $c$ of a system $S$ is of the form $(l_1, e_1, \ldots, l_m, e_m)$ with $l_i \in L_i$ and $e_i \in \mathcal{E}(V_i)$ for all $i \in \{1, \ldots, m\}$; $C_S$ denotes the set of all configurations of $S$. The initial configuration $c_0$ of $S$ is of the form $(l_1^0, e_1^0, \ldots, l_m^0, e_m^0)$. An interaction $\sigma \in \Sigma$ is (globally) enabled in a configuration $c$ if, first, joint participation holds for $\sigma$, that is, for all $i \in \{1, \ldots, m\}$ with $\sigma \in \Sigma_i$, there exists a transition $(l_i, g_i, \sigma, f_i, l_i') \in T_i$ with $e_i(g_i) = \mathit{True}$, and, second, there is no other interaction of higher priority for which joint participation holds. $\Sigma_c$ denotes the set of (globally) enabled interactions in a configuration $c$. For $\sigma \in \Sigma_c$, a configuration $c'$ of the form $(l_1', e_1', \ldots, l_m', e_m')$ is a $\sigma$-successor of $c$, denoted by $c \xrightarrow{\sigma} c'$, if, for all $i$ in $\{1, \ldots, m\}$,

• if $\sigma \notin \Sigma_i$, then $l_i' = l_i$ and $e_i' = e_i$;

• if $\sigma \in \Sigma_i$, then for some transition of the form $(l_i, g_i, \sigma, f_i, l_i') \in T_i$ with $e_i(g_i) = \mathit{True}$ (whose target is the new location $l_i'$), $e_i' = e_i[v / d_v]$ with $d_v \in f_i(v)$ for every $v \in V_i$.

A run is of the form $c_0, \ldots, c_k$ with $c_0$ the initial configuration and $c_j \xrightarrow{\sigma_j} c_{j+1}$ for all $j$ with $0 \leq j < k$. In this case, $c_k$ is reachable, and $\mathcal{R}_S$ denotes the set of all configurations reachable from $c_0$. Notice that such a sequence of configurations can be viewed as an execution of a two-player game played alternately between the control player Ctrl and the environment Env. In every position, player Ctrl selects one of the enabled interactions and Env non-deterministically chooses new values for the variables before moving to the next position. The game is won by Env if Ctrl is unable to select an enabled interaction, i.e., the system is deadlocked, or if Env is able to drive the run into a bad configuration from some given set $C_{risk} \subseteq C_S$. More formally, the system is deadlocked in configuration $c$ if there is no $c' \in \mathcal{R}_S$ and no $\sigma \in \Sigma_c$ such that $c \xrightarrow{\sigma} c'$, and the set of deadlocked states is denoted by $C_{dead}$. A configuration $c$ is safe if $c \notin C_{dead} \cup C_{risk}$, and a system is safe if no reachable configuration is unsafe.

Definition 1 (Priority Synthesis): Given a system $S = (\mathcal{C}, \Sigma, \mathcal{P})$ together with a set $C_{risk} \subseteq C_S$ of risk configurations, $\mathcal{P}^+ \subseteq \Sigma \times \Sigma$ is a solution to the priority synthesis problem if the extended system $(\mathcal{C}, \Sigma, \mathcal{P} \cup \mathcal{P}^+)$ is safe, and the relation defined by $\mathcal{P} \cup \mathcal{P}^+$ is also irreflexive and transitive.



For the product graph induced by system $S$, let $Q$ be the set of vertices and $\delta$ be the set of transitions. In a single-player game, where Env is restricted to deterministic updates, finding a solution to the priority synthesis problem is NP-complete in the size of $(|Q| + |\delta| + |\Sigma|)$ [10].

III. Distributed Execution 

We introduce the notion of a (deployable) communication architecture for defining distributed execution of a system $S$ of interacting components. Intuitively, a communication architecture specifies which components exchange information about their next intended move.

Definition 2: A communication architecture $Com$ for a system $S$ of interacting components is a set of ordered pairs of components of the form $(C_i, C_j)$ for $C_i, C_j \in \mathcal{C}$. In this case we say that $C_i$ informs $C_j$ and we use the notation $C_i \to C_j$. Such a communication architecture $Com$ is deployable if the following conditions hold for all $\sigma, \tau \in \Sigma$ and $i, j \in \{1, \ldots, m\}$:

1) (Self-transmission) $\forall i \in \{1, \ldots, m\}$, $C_i \to C_i \in Com$.

2) (Group transmission) If $\sigma \in \Sigma_i \cap \Sigma_j$ then $C_j \to C_i, C_i \to C_j \in Com$.

3) (Existing priority transmission) If $\sigma \prec \tau \in \mathcal{P}$, $\sigma \in \Sigma_i$ and $\tau \in \Sigma_j$ then $C_j \to C_i \in Com$.

Therefore, components that possibly participate in a joint interaction exchange information about next intended moves (group transmission), and components with a high-priority interaction $\tau$ need to inform all components with an interaction of lower priority than $\tau$ (existing priority transmission). We make the following assumption.

Assumption 1 (Compatibility Assumption): It is assumed that a system is deployable on the given communication architecture.

Next we define distributed notions of enabled interactions and behaviors, where all the 
necessary information is communicated along the defined communication architecture. 

Definition 3: Given a communication architecture $Com$ for a system $S$, an interaction $\sigma$ is visible by $C_j$ if $C_i \to C_j$ for all $i$ such that $\sigma \in \Sigma_i$. Then for configuration $c = (l_1, e_1, \ldots, l_m, e_m)$, an interaction $\sigma \in \Sigma$ is distributively-enabled (at $c$) if ($i \in \{1, \ldots, m\}$):

1) (Joint participation: distributed version) for all $i$ with $\sigma \in \Sigma_i$, $\sigma$ is visible by $C_i$ and there exists $(l_i, g_i, \sigma, \_, \_) \in T_i$ with $e_i(g_i) = \mathit{True}$.

2) (No higher priorities enabled: distributed version) for all $\tau \in \Sigma$ with $\sigma \prec \tau$, $\tau$ is visible by $C_i$ (for all $i$ with $\sigma \in \Sigma_i$), and there is a $j \in \{1, \ldots, m\}$ such that $\tau \in \Sigma_j$ and either $(l_j, g_j, \tau, \_, \_) \notin T_j$ or for every $(l_j, g_j, \tau, \_, \_) \in T_j$, $e_j(g_j) = \mathit{False}$.

A configuration $c' = (l_1', e_1', \ldots, l_m', e_m')$ is a distributed $\sigma$-successor of $c$ if $\sigma$ is distributively-enabled and $c'$ is a $\sigma$-successor of $c$. Distributed runs are runs of system $S$ under communication architecture $Com$.

Any move from a configuration to a successor configuration in the distributed semantics can be understood as a multi-player game with $(|\mathcal{C}| + 1)$ players between controllers $Ctrl_i$ for each component and the external environment Env. In contrast to the two-player game for the global semantics, $Ctrl_i$ now is only informed about the intended next moves of the components in the visible region as defined by the communication architecture, and the control players play against the environment player. First, based on the visibility, the control players agree (cf. Assumption 2 below) on an interaction $\sigma \in \Sigma_c$, and, second, the environment chooses a $\sigma$-enabled transition for each component $C_i$ with $\sigma \in \Sigma_i$. Now the successor state is obtained by local updates to the local configurations of each component, and variables are non-deterministically toggled by the environment.

Proposition 1: Consider a system $S = (\mathcal{C}, \Sigma, \mathcal{P})$ under a deployable communication architecture $Com$. (a) If $\sigma \in \Sigma$ is globally enabled at configuration $c$, then $\sigma$ is distributively-enabled at $c$. (b) The set of distributively-enabled interactions at configuration $c$ equals $\Sigma_c$. (c) If configuration $c$ has no distributively-enabled interaction, it has no globally enabled interaction.

Proof: (a) An interaction $\sigma \in \Sigma$ is globally enabled in a configuration $c$ if, first, joint participation holds for $\sigma$, that is, for all $i \in \{1, \ldots, m\}$ with $\sigma \in \Sigma_i$ there is a transition $(l_i, g_i, \sigma, f_i, l_i') \in T_i$ with $e_i(g_i) = \mathit{True}$, and, second, there is no other interaction of higher priority for which joint participation holds. The definition of a deployable communication architecture enables us to extend the $a$-th ($a = 1, 2$) condition of global enabledness to the $a$-th condition of distributed enabledness. The extension is by an explicit guarantee that $\sigma$ (respectively every $\tau$ with $\sigma \prec \tau$) is visible by $C_i$, which can be derived from the three conditions of a deployable communication architecture.

(b) We prove that $\Sigma_{dist,c} = \Sigma_c$.

• As $Com$ is a deployable communication architecture, we first prove that every distributively-enabled interaction $\sigma$ is also globally enabled. Assume not, i.e., $\sigma$ is distributively-enabled but not globally enabled. This can only happen (in the second condition) when there is another interaction $\tau$ with $\sigma \prec \tau \in \mathcal{P}$ such that $\tau$ is enabled, but $\tau$ is not visible by a component $C_i$ with $\sigma \in \Sigma_i$. This is impossible, as the definition of a deployable architecture ensures that if $\sigma \prec \tau \in \mathcal{P}$, $\sigma \in \Sigma_i$ and $\tau \in \Sigma_j$ then $C_j \to C_i \in Com$, i.e., $\tau$ is visible by $C_i$. Thus $\Sigma_{dist,c} \subseteq \Sigma_c$.

• From (a), we have $\Sigma_c \subseteq \Sigma_{dist,c}$. Thus $\Sigma_{dist,c} = \Sigma_c$.

(c) This is the contrapositive of (a), i.e., the rephrasing of $A \to B$ as $\neg B \to \neg A$. ■

From the above proposition (part c) we can conclude that if configuration $c$ has no distributively-enabled interaction, then $c$ is deadlocked ($c \in C_{dead}$). However, we are looking for an explicit guarantee for the claim that the system at configuration $c$ is never deadlocked whenever there exists at least one distributively-enabled interaction in $c$. For our running example of memory access in Figure 1, consider the case when both C3 and D3 are enabled (both for allocating access to Memory3); one needs an explicit assumption that this race condition will be resolved, e.g., that the run time lets Memory3 resolve the race and execute one of them, rather than halting permanently and disabling progress. Such an assumption can be fulfilled by variants of distributed consensus algorithms such as majority voting (MJRTY) [3].

Assumption 2 (Runtime Assumption): For a configuration $c$ with $|\Sigma_c| > 0$, the distributed controllers $Ctrl_i$ agree on a distributively-enabled interaction $\sigma \in \Sigma_c$ for execution.

With the above assumption, we then define, given a system $S = (\mathcal{C}, \Sigma, \mathcal{P})$ under a communication architecture $Com$, the set of deadlock states of $S$ in distributed execution to be $C_{dist,dead} = \{c \mid \text{no interaction is distributively-enabled at } c\}$. We immediately derive $C_{dist,dead} = C_{dead}$, as the left inclusion ($C_{dist,dead} \subseteq C_{dead}$) is the consequence of Proposition 1 and the right inclusion is trivially true. With such an equality, given risk configurations $C_{risk}$ and global deadlock states $C_{dead}$, we say that system $S$ under the distributed semantics is distributively-safe if there is no distributed run $c_0, \ldots, c_k$ such that $c_k \in C_{dead} \cup C_{risk}$; a system that is not distributively-safe is called distributively-unsafe. Finally, we have collected all the ingredients for defining the problem of distributed priority synthesis.

Definition 4: Given a system $S = (\mathcal{C}, \Sigma, \mathcal{P})$ together with a deployable communication architecture $Com$ and the set of risk configurations $C_{risk} \subseteq C_S$, a set of priorities $\mathcal{P}_d^+$ is a solution to the distributed priority synthesis problem if the following holds:

1) $\mathcal{P} \cup \mathcal{P}_d^+$ is transitive and irreflexive.

2) $(\mathcal{C}, \Sigma, \mathcal{P} \cup \mathcal{P}_d^+)$ is distributively-safe.

3) For all $i, j \in \{1, \ldots, m\}$ s.t. $\sigma \in \Sigma_i$, $\tau \in \Sigma_j$: if $\sigma \prec \tau \in \mathcal{P} \cup \mathcal{P}_d^+$ then $C_j \to C_i \in Com$.

The third condition states that newly introduced priorities are indeed deployable. Notice that for a system $S$ with a deployable communication architecture $Com$, and any risk configurations $C_{risk}$ and global deadlock states $C_{dead}$, a solution to the distributed priority synthesis problem is distributively-safe iff it is (globally) safe. Moreover, for a fully connected communication architecture, the problem of distributed priority synthesis reduces to (global) priority synthesis.

Algorithm 1: DPS: An algorithm for distributed priority synthesis (outline)

input: Level index $i$, system $S = (\mathcal{C} = (C_1, \ldots, C_m), \Sigma, \mathcal{P})$, communication architecture $Com$, variable set $V_\Sigma$, current priority-variable assignment $asgn$, set of deadlock states $C_{dead}$ and risk states $C_{risk}$
output: (CONFLICT/DEADLOCK-FREE, new variable assignment)
begin
    Create $\mathcal{P}^+$ s.t. for every positive assignment $p = \mathit{True}$ in $asgn$, $p \in \mathcal{P}^+$
1   let $\mathcal{P}_{tran} := \mathcal{P} \cup \mathcal{P}^+$
2   do
        if $\sigma \prec \tau \in \mathcal{P}_{tran} \wedge \tau \prec \sigma' \in \mathcal{P}_{tran}$ then $\mathcal{P}_{tran} := \mathcal{P}_{tran} \cup \{\sigma \prec \sigma'\}$
    until the size of $\mathcal{P}_{tran}$ does not change
3   let $newasgn := \emptyset$, $\Sigma^+ := \{\sigma \mid \sigma \prec \sigma' \in \mathcal{P}^+\} \cup \{\sigma' \mid \sigma \prec \sigma' \in \mathcal{P}^+\}$
    for $\sigma \prec \tau$ in $\Sigma^+ \times \Sigma^+$ do
        if $\sigma \prec \tau \in \mathcal{P}_{tran}$ then $newasgn := newasgn \cup assign(\sigma \prec \tau, \mathit{True})$
        else $newasgn := newasgn \cup assign(\sigma \prec \tau, \mathit{False})$
4   if satisfy_arch_constraint$(\mathcal{P}_{tran}, Com) = \mathit{False}$ $\vee$ satisfy_irreflexivity$(\mathcal{P}_{tran}) = \mathit{False}$ then
5       return (CONFLICT, $newasgn$)
6   let $\mathcal{R} :=$ compute_reachable$(\mathcal{C}, \Sigma, \mathcal{P}_{tran})$
    if $\mathcal{R} \cap (C_{dead} \cup C_{risk}) = \emptyset$ then
        return (DEADLOCK-FREE, $newasgn$)
    else
7       /* Diagnosis-based fixing process can be inserted here */
8       let $\sigma \prec \tau :=$ choose_free_variable$(V_\Sigma, newasgn)$
9       if $\sigma \prec \tau \neq$ null then
            let $asgn1 := newasgn \cup assign(\sigma \prec \tau, \mathit{True})$
            let $result :=$ DPS$(i + 1, S, Com, V_\Sigma, asgn1, C_{dead}, C_{risk})$
            if $result$.1stElement = DEADLOCK-FREE then return $result$
            else
                let $asgn0 := newasgn \cup assign(\sigma \prec \tau, \mathit{False})$
                return DPS$(i + 1, S, Com, V_\Sigma, asgn0, C_{dead}, C_{risk})$
        else return (CONFLICT, $asgn$)

Theorem 1: Given a system $S = (\mathcal{C}, \Sigma, \mathcal{P})$ under a deployable communication architecture $Com$, the problem of distributed priority synthesis is NP-complete in $|Q| + |\delta| + |\Sigma|$, where $|Q|$ and $|\delta|$ are the numbers of vertices and transitions in the product graph induced by $S$, provided that $< |Q| + |\delta| + |\Sigma|$.

Proof: (Sketch) First select a set of priorities (including $\mathcal{P}$) and check whether they satisfy transitivity, irreflexivity and the architectural constraints. Then check, in polynomial time, whether the system under this set of priorities can reach deadlock or risk states; hardness follows from the hardness of global priority synthesis. A complete proof is in the appendix. ■



IV. Solving Distributed Priority Synthesis

It is not difficult to derive from the NP-completeness result (Section III) a DPLL-like search algorithm (DPS, see Algorithm 1 for an outline), where each possible priority $\sigma \prec \tau$ is represented as a Boolean variable $[\sigma \prec \tau]$. Given $S$, let $V_\Sigma = \{[\sigma \prec \tau] \mid \sigma, \tau \in \Sigma\}$ be the set of variables representing each possible priority.

This algorithm is invoked with the empty assignment $asgn = \emptyset$. Lines 1 and 2 compute the transitive closure of the current set of priorities $\mathcal{P} \cup \mathcal{P}^+$. Then line 3 updates the assignment with $newasgn$, and line 4 checks whether the set of derived priorities satisfies the architectural constraints (using satisfy_arch_constraint) and is irreflexive (using satisfy_irreflexivity). If not, it returns "conflict" in line 5. Otherwise, line 6 checks, by the reachability analysis compute_reachable, whether the current set of priorities is sufficient to avoid deadlock and risk states. If successful, the current set of priorities is returned; otherwise, an unassigned variable $[\sigma \prec \tau]$ in $V_\Sigma$ is chosen (using choose_free_variable), and, recursively, both possible assignments are considered (lines 8, 9). This simple algorithm is complete as long as the variables in $V_\Sigma$ are evaluated in a fixed order.
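The definitions of Sections II and III (global enabledness, deployable architectures, distributively-enabled interactions of Definition 3 and Proposition 1) and the DPS search above, as one added worked example that is not code from the paper or from VissBIP: a two-CPU, two-bank instance of the scenario of Figure 1 in which each CPU needs both banks. The model has no data variables, so Env has no moves and the game is single-player; that restriction, the component names and transitions, and the choice of priority variables (ordered pairs of interactions that jointly participate at some reachable configuration, a simple stand-in for the paper's fix-candidate derivation, pre-filtered by the architectural constraint) are assumptions of this example.

```python
"""Explicit-state distributed priority synthesis (added example, not VissBIP code).
Two CPUs compete for two memory banks and each needs both; there are no data
variables, so Env has no moves.  Names, transitions and the choice of priority
variables are assumptions of this example."""
from collections import deque
from itertools import product

def component(name, init, edges):
    """Variable-free component: initial location, labels and a (src, label) -> dst map."""
    return {"name": name, "init": init, "labels": {a for _, a, _ in edges},
            "trans": {(s, a): d for s, a, d in edges}}

# A1 = "A allocates M1", relA = "A releases both banks" (synchronizes A, M1 and M2).
CPU_A = component("A", "Start", [("Start", "A1", "H1"), ("Start", "A2", "H2"),
                                  ("H1", "A2", "H12"), ("H2", "A1", "H12"), ("H12", "relA", "Start")])
CPU_B = component("B", "Start", [("Start", "B1", "H1"), ("Start", "B2", "H2"),
                                  ("H1", "B2", "H12"), ("H2", "B1", "H12"), ("H12", "relB", "Start")])
MEM1 = component("M1", "free", [("free", "A1", "busyA"), ("busyA", "relA", "free"),
                                ("free", "B1", "busyB"), ("busyB", "relB", "free")])
MEM2 = component("M2", "free", [("free", "A2", "busyA"), ("busyA", "relA", "free"),
                                ("free", "B2", "busyB"), ("busyB", "relB", "free")])
SYSTEM = [CPU_A, CPU_B, MEM1, MEM2]

def participating(system, cfg):
    """Interactions with joint participation at cfg (all guards are True here)."""
    return {a for a in set().union(*(c["labels"] for c in system))
            if all(a not in c["labels"] or (l, a) in c["trans"] for c, l in zip(system, cfg))}

def enabled(system, cfg, prios):
    """Globally enabled: joint participation and no participating higher-priority interaction."""
    part = participating(system, cfg)
    return {a for a in part if not any((a, t) in prios for t in part)}

def visible(system, com, a, cj):
    """Definition 3: a is visible by C_j iff every participant of a informs C_j."""
    return all((ci["name"], cj["name"]) in com for ci in system if a in ci["labels"])

def dist_enabled(system, com, cfg, prios):
    """Definition 3: both enabledness conditions must be observable through Com."""
    part, out = participating(system, cfg), set()
    for a in part:
        owners = [c for c in system if a in c["labels"]]
        higher = [t for s, t in prios if s == a]
        if all(visible(system, com, a, c) for c in owners) and all(
                t not in part and all(visible(system, com, t, c) for c in owners) for t in higher):
            out.add(a)
    return out

def reachable(system, prios):
    """Breadth-first exploration of the configurations reachable under prios."""
    init = tuple(c["init"] for c in system)
    seen, todo = {init}, deque([init])
    while todo:
        cfg = todo.popleft()
        for a in enabled(system, cfg, prios):
            nxt = tuple(c["trans"].get((l, a), l) for c, l in zip(system, cfg))  # others stutter
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def unsafe_states(system, prios, risk):
    """Reachable configurations in C_dead or C_risk; empty iff the system is safe."""
    return {c for c in reachable(system, prios) if c in risk or not enabled(system, c, prios)}

def closure(prios):
    """Transitive closure (lines 1-2 of Algorithm 1)."""
    p = set(prios)
    while new := {(a, d) for (a, b), (c, d) in product(p, repeat=2) if b == c} - p:
        p |= new
    return p

def group_architecture(system):
    """Self- and group-transmission pairs of Definition 2 (deployable when P is empty)."""
    return {(x["name"], y["name"]) for x in system for y in system
            if x is y or x["labels"] & y["labels"]}

def arch_ok(system, com, prios):
    """Condition 3 of Definition 4: s < t with s in C_i, t in C_j needs C_j -> C_i in Com."""
    return all((cj["name"], ci["name"]) in com for s, t in prios
               for ci in system if s in ci["labels"] for cj in system if t in cj["labels"])

def candidate_variables(system, com):
    """Ordered pairs that jointly participate at some reachable configuration (this
    example's stand-in for the paper's fix candidates), pre-filtered by arch_ok."""
    pairs = set()
    for cfg in reachable(system, set()):
        part = participating(system, cfg)
        pairs |= {(s, t) for s in part for t in part if s != t}
    return sorted(v for v in pairs if arch_ok(system, com, {v}))

def dps(system, com, risk, variables, asgn=None, base=frozenset()):
    """DPLL-like search of Algorithm 1: True branch first, fixed variable order."""
    asgn = asgn or {}
    ptran = closure(base | {v for v, b in asgn.items() if b})
    if any(a == b for a, b in ptran) or not arch_ok(system, com, ptran):
        return None                        # CONFLICT: not irreflexive or not deployable
    if not unsafe_states(system, ptran, risk):
        return frozenset(ptran - base)     # DEADLOCK-FREE: the synthesized P_d+
    free = [v for v in variables if v not in asgn]
    for value in ((True, False) if free else ()):
        res = dps(system, com, risk, variables, {**asgn, free[0]: value}, base)
        if res is not None:
            return res
    return None

COM_GROUP = group_architecture(SYSTEM)   # A and B never inform each other
COM_MASTER = COM_GROUP | {("A", "B")}    # plus A -> B, as in Table I, index 1
```

Without priorities the system reaches the deadlock (H1, H2, busyA, busyB), where A holds M1 and waits for M2 while B holds M2 and waits for M1. Under COM_MASTER the search returns a closed, irreflexive set of priorities that keeps every reachable configuration live; every priority in it places a transition of B below a transition of A, which is exactly what A -> B permits. Under COM_GROUP the same search returns None: the only admissible variables order A's (or B's) own transitions, and none of those subsets avoids the deadlock, so the architecture, not the search, is the limiting factor. For the synthesized priorities dist_enabled and enabled agree on every reachable configuration (Proposition 1(b)); dropping the group pair M1 -> A makes COM_MASTER non-deployable, and A1 is then globally enabled but not distributively-enabled at the initial configuration, which is why Assumption 1 is needed.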

Notice, however, that checking whether a risk state is reachable is expensive. As an optimization we therefore extend the basic search algorithm above with a diagnosis-based fixing process. In particular, whenever the system is unsafe under the current set of priorities, the algorithm diagnoses the reason for unsafety and introduces additional priorities that prevent immediate entry into states leading to unsafe states. If the current scenario can be fixed, the algorithm immediately stops and returns the fix. Otherwise, the algorithm selects a set of priorities (from reasoning about the inability to fix) and uses them to guide the introduction of new priorities in DPS. The diagnosis-based fixing process (which is inserted in line 7 of Algorithm 1) proceeds in two steps.

Step 1: Deriving fix candidates. Game solving is used to derive potential fix candidates represented as a set of priorities. In the distributed case, we need to encode visibility constraints: they specify, for each interaction $\sigma$, the set of other interactions $\Sigma_\sigma \subseteq \Sigma$ visible to the components executing $\sigma$ (Section IV-A). With visibility constraints, our game solving process results in a nested attractor computation (Section IV-B).

Step 2: Fault-fixing. We then create from the fix candidates one feasible fix by solving a corresponding SAT problem, which encodes (1) properties of priorities and (2) architectural restrictions (Section IV-C). If this propositional formula is unsatisfiable, then an unsatisfiable core is used to extract potentially useful candidate priorities.

A. Game Construction

Symbolic encodings of interacting components form the basis of reachability checks, the diagnosis process, and the algorithm for priority fixing (here we use $\mathcal{P}$ for $\mathcal{P}_{tran}$). In particular, symbolic encodings of system $S = (\mathcal{C}, \Sigma, \mathcal{P})$ use the following propositional variables:

• $p_0$ indicates whether it is the controller's or the environment's turn.

• $A = \{a_1, \ldots, a_{\lceil \log_2 |\Sigma| \rceil}\}$ for the binary encoding $enc(\sigma)$ of the chosen interaction $\sigma$ (which is agreed by the distributed controllers for execution, see Assumption 2).

• $\bigcup_{\sigma \in \Sigma} \{\sigma\}$, variables representing interactions to encode visibility. Notice that the same letter is used for an interaction and its corresponding encoding variable.

• $\bigcup_{i=1}^{m} Y_i$, where $Y_i = \{y_{i1}, \ldots, y_{ik}\}$, for the binary encoding $enc(l)$ of locations $l \in L_i$.

• $\bigcup_{i=1}^{m} V_i$ for the encoding of the component variables.

Primed variables are used for encoding successor configurations and transition relations. Visibility constraints $Vis^{\tau}_{\sigma} \in \{\mathit{True}, \mathit{False}\}$ denote the visibility of interaction $\tau$ over another interaction $\sigma$. They are computed statically: such a constraint $Vis^{\tau}_{\sigma}$ holds iff for all $C_i, C_j \in \mathcal{C}$ where $\tau \in \Sigma_i$ and $\sigma \in \Sigma_j$, $C_i \to C_j \in Com$.

Algorithms 2 and 3 return symbolic transitions $T_{ctrl}$ and $T_{env}$ for the control players $\bigcup_{i=1}^{m} Ctrl_i$ and the player Env respectively, together with a symbolic representation $C_{dead}$ of the deadlock states of the system. Line 1 of Algorithm 2 computes when an interaction $\sigma$ is enabled. Line 2 summarizes the conditions for deadlock, where none of the interactions is enabled. The computed deadlock condition can be reused throughout the subsequent synthesis process, as introducing a set of priorities never introduces new deadlocks. In line 3, $T_{\sigma_1}$ constructs the actual transition, where the conjunction with $enc'(\sigma_1)$ indicates that $\sigma_1$ is the chosen interaction for execution. $T_{\sigma_1}$ is also conjoined with $\sigma_1'$ as an indication that $\sigma_1$ is enabled (and it can see itself). Lines 4 and 5 record the visibility constraint. If interaction $\sigma_2$ is visible by $\sigma_1$ ($Vis^{\sigma_2}_{\sigma_1} = \mathit{True}$), then conjoining with $(P_{\sigma_2} \leftrightarrow \sigma_2')$ explicitly records the set of visible and enabled (but not chosen) interactions. If interaction $\sigma_2$ is not visible by $\sigma_1$, then the encoding is conjoined with $\neg\sigma_2'$. In this case $\sigma_2$ is treated as if it were not enabled: if $\sigma_1$ is a bad interaction leading into the attractor of the deadlock states, we cannot select $\sigma_2$ as a potential escape (i.e., we cannot create the fix candidate $\sigma_1 \prec \sigma_2$), as $\sigma_1 \prec \sigma_2$ is not supported by the visibility constraints derived from the architecture. Line 6 keeps all variables and locations the same in the pre- and postcondition, as the actual update is done by the environment. For each priority $\sigma_1 \prec \sigma_2$, lines 8 to 12 perform transformations on the set of transitions where both $\sigma_1$ and $\sigma_2$ are enabled. Line 8 prunes from $T_{ctrl}$ the transitions where both $\sigma_1$ and $\sigma_2$ are enabled but $\sigma_1$ is chosen for execution. Then lines 9 to 12 ensure that the remaining transitions $T_{12}$ change their view as if $\sigma_1$ were not enabled (line 11 performs the fix). $T_{ctrl}$ is updated by removing $T_{12}$ and adding $T_{12,fix}$.

Algorithm 2: Generate controllable transitions and the set of deadlock states

input: System $S = (\mathcal{C} = (C_1, \ldots, C_m), \Sigma, \mathcal{P})$, visibility constraints $Vis^{\sigma_2}_{\sigma_1}$ for $\sigma_1, \sigma_2 \in \Sigma$
output: Transition predicate $T_{ctrl}$ for control and the set of deadlock states $C_{dead}$
begin
    let predicate $T_{ctrl} := \mathit{False}$, $C_{dead} := \mathit{True}$
    for $\sigma \in \Sigma$ do
        let predicate $P_\sigma := \mathit{True}$
    for $\sigma \in \Sigma$ do
        for $i = 1, \ldots, m$ do
1           if $\sigma \in \Sigma_i$ then $P_\sigma := P_\sigma \wedge \bigvee_{(l, g, \sigma, f, l') \in T_i} (enc(l) \wedge g)$
2       $C_{dead} := C_{dead} \wedge \neg P_\sigma$
    for $\sigma_1 \in \Sigma$ do
3       let predicate $T_{\sigma_1} := p_0 \wedge \neg p_0' \wedge P_{\sigma_1} \wedge enc'(\sigma_1) \wedge \sigma_1'$
        for $\sigma_2 \in \Sigma$, $\sigma_2 \neq \sigma_1$ do
4           if $Vis^{\sigma_2}_{\sigma_1} = \mathit{True}$ then $T_{\sigma_1} := T_{\sigma_1} \wedge (P_{\sigma_2} \leftrightarrow \sigma_2')$
5           else $T_{\sigma_1} := T_{\sigma_1} \wedge \neg\sigma_2'$
        for $i = 1, \ldots, m$ do
6           $T_{\sigma_1} := T_{\sigma_1} \wedge \bigwedge_{y \in Y_i} (y \leftrightarrow y') \wedge \bigwedge_{v \in V_i} (v \leftrightarrow v')$
7       $T_{ctrl} := T_{ctrl} \vee T_{\sigma_1}$
    for $\sigma_1 \prec \sigma_2 \in \mathcal{P}$ do
8       $T_{ctrl} := T_{ctrl} \wedge ((\sigma_1' \wedge \sigma_2') \to \neg enc'(\sigma_1))$
9       $T_{12} := T_{ctrl} \wedge (\sigma_1' \wedge \sigma_2')$
10      $T_{ctrl} := T_{ctrl} \setminus T_{12}$
11      $T_{12,fix} := (\exists \sigma_1' : T_{12}) \wedge (\neg\sigma_1')$
12      $T_{ctrl} := T_{ctrl} \vee T_{12,fix}$
    return $T_{ctrl}$, $C_{dead}$

Algorithm 3: Generate uncontrollable updates

input: System $S = (\mathcal{C} = (C_1, \ldots, C_m), \Sigma, \mathcal{P})$
output: Transition predicate $T_{env}$ for the environment
begin
    let predicate $T_{env} := \mathit{False}$
    for $\sigma \in \Sigma$ do
        let predicate $T_\sigma := \neg p_0 \wedge p_0'$
        for $i = 1, \ldots, m$ do
            if $\sigma \in \Sigma_i$ then
1               $T_\sigma := T_\sigma \wedge \bigvee_{(l, g, \sigma, f, l') \in T_i} \big(enc(l) \wedge g \wedge enc'(l') \wedge enc(\sigma) \wedge enc'(\sigma) \wedge \bigwedge_{v \in V_i} \bigvee_{e \in f(v)} (v' \leftrightarrow e)\big)$
        for $\sigma_1 \in \Sigma$, $\sigma_1 \neq \sigma$ do
2           $T_\sigma := T_\sigma \wedge \neg\sigma_1'$
        for $i = 1, \ldots, m$ do
3           if $\sigma \notin \Sigma_i$ then $T_\sigma := T_\sigma \wedge \bigwedge_{y \in Y_i} (y \leftrightarrow y') \wedge \bigwedge_{v \in V_i} (v \leftrightarrow v')$
        $T_{env} := T_{env} \vee T_\sigma$
    return $T_{env}$

Proposition 2: Consider configuration $s$, where interaction $\sigma$ is (enabled and) chosen for execution. Given $\tau \in \Sigma$ at $s$ such that the encoding satisfies $\tau' = \mathit{True}$ in Algorithm 2, then $Vis^{\tau}_{\sigma} = \mathit{True}$ and interaction $\tau$ is also enabled at $s$.

Proof: Assume not, i.e., there exists an interaction $\tau$ with $\tau' = \mathit{True}$ in Algorithm 2 but either $Vis^{\tau}_{\sigma} = \mathit{False}$ or $\tau$ is not enabled.

• If $Vis^{\tau}_{\sigma} = \mathit{False}$, then line 5 explicitly sets $\tau'$ to $\mathit{False}$; if $\tau = \sigma$ then Assumption 1 ensures that $Vis^{\sigma}_{\sigma} = \mathit{True}$. Both lead to a contradiction.

• If $\tau$ is not enabled, based on the definition, there are two reasons.

  – There exists another interaction $\kappa \neq \sigma$ such that $\kappa$ is enabled at $s$ and the priority $\tau \prec \kappa$ exists. In this case, lines 9 to 12 ensure that $\tau' = \mathit{False}$. Contradiction.

  – $\tau$ is not enabled as it does not satisfy its precondition. For this, line 4 ensures that if $\tau$ is not enabled, $\tau'$ is set to $\mathit{False}$. Contradiction. ■

Proposition 3: $C_{dead}$ as returned by Algorithm 2 encodes the set of deadlock states of the input system $S$.

Proof: We first recall that using priorities never introduces new deadlocks, as (1) $\sigma \prec \tau$ only blocks $\sigma$ when $\tau$ has joint participation, and (2) the relation defined by $\mathcal{P}$ is transitive and irreflexive (so we never have cases like $\sigma_1 \prec \sigma_2 \prec \ldots \prec \sigma_1$, which would create $\sigma_1 \prec \sigma_1$, violating irreflexivity).

• The set of deadlock states for distributed execution, based on Assumptions 1 and 2, amounts to the set of global deadlock states, where no interaction is enabled. Based on the definition, an interaction $\sigma$ can also fail to be enabled when its guard condition holds, but there exists another interaction $\tau$ such that (1) the guard condition of $\tau$ holds on all participating components, and (2) $\sigma \prec \tau$ exists.

• If $\tau$ is not blocked by another interaction, then $\tau$ is enabled for execution, so such a case never constitutes a new deadlock state.

• Otherwise, we continue the chain and find an interaction $\kappa$ (this chain never returns to $\tau$, by the above properties of priorities) whose guard condition holds and which is not blocked. Then no new deadlock is introduced.

Therefore, deadlock only appears in the case where for each interaction its guard condition does not hold. This condition is computed by the loop over each interaction with line 2. ■

In Algorithm 3 the environment updates the configuration using interaction σ based on the 
indicator enc'(σ). Its freedom of choice in variable updates is listed in line 1 (ranging over 
the possible updates e ∈ f(σ)). Line 2 explicitly sets all interactions σi not chosen for execution to False, and line 3 sets 
all components not participating in σ to stutter. 

Finally, Figure 2 exemplifies an encoding for control (represented by a circle); the current 
system configuration is assumed to be c1, and it is assumed that both σ1 and σ2 can be 
executed, but Vis^{σ1}_{σ2} = Vis^{σ2}_{σ1} = False. 



Algorithm 4: Nested-risk-attractor computation 

input:  Initial state c0, risk states C_risk, deadlock states C_dead, set of reachable states R_S({c0}) and symbolic transitions 
        T_ctrl, T_env from Algorithms 2 and 3 
output: (1) Nested risk attractor NestAttr_env(C_risk ∪ C_dead) and (2) T_f ⊆ T_ctrl, which is the set of control transitions 
        starting outside NestAttr_env(C_dead ∪ C_risk) but entering NestAttr_env(C_risk ∪ C_dead). 

begin 
    // Create architectural non-visibility predicate 
    let Esc := False 
    for σi ∈ Σ do 
        let Esc_σi := enc'(σi) 
        for σj ∈ Σ, σj ≠ σi do Esc_σi := Esc_σi ∧ ¬σj' 
        Esc := Esc ∨ (Esc_σi ∧ σi') 

    // Part A: Prune unreachable transitions and bad states 
    T_ctrl := T_ctrl ∧ R_S({c0}), T_env := T_env ∧ R_S({c0}) 
    C_dead := C_dead ∧ R_S({c0}), C_risk := C_risk ∧ R_S({c0}) 

    // Part B: Solve nested-safety game 
    let NestedAttr_pre := C_dead ∨ C_risk, NestedAttr_post := False 
    while True do 
        let Attr_pre := NestedAttr_pre, Attr_post := False 

        // B.1 Compute risk attractor 
        while True do 
            // add environment configurations 
            Attr_post,env := ∃Ξ' : (T_env ∧ SUBS((∃Ξ' : Attr_pre), Ξ, Ξ')) 
            // add system configurations 
            let PointTo := ∃Ξ' : (T_ctrl ∧ SUBS((∃Ξ' : Attr_pre), Ξ, Ξ')) 
            let Escape := ∃Ξ' : (T_ctrl ∧ SUBS((∃Ξ' : ¬Attr_pre), Ξ, Ξ')) 
            Attr_post,ctrl := PointTo \ Escape 
            Attr_post := Attr_pre ∨ Attr_post,env ∨ Attr_post,ctrl       // Union the result 
            if Attr_pre = Attr_post then break                            // Break when the image saturates 
            else Attr_pre := Attr_post 

        // B.2 Generate transitions with source in ¬Attr_pre and destination in Attr_pre 
        PointTo := T_ctrl ∧ SUBS((∃Ξ' : Attr_pre), Ξ, Ξ') 
        OutsideAttr := ¬Attr_pre ∧ (∃Ξ' : T_ctrl) 
        T := PointTo ∧ OutsideAttr 

        // B.3 Add the source vertex of B.2 to NestedAttr_post if it cannot see another 
        //     interaction for escape 
        newBadStates := ∃Ξ' : (T ∧ Esc) 
        NestedAttr_post := Attr_pre ∨ newBadStates 

        // B.4 Condition for breaking the loop 
        if NestedAttr_pre = NestedAttr_post then break                    // Break when the image saturates 
        else NestedAttr_pre := NestedAttr_post 

    // Part C: extract T_f 
    PointToNested := T_ctrl ∧ SUBS((∃Ξ' : NestedAttr_pre), Ξ, Ξ') 
    OutsideNestedAttr := ¬NestedAttr_pre ∧ (∃Ξ' : T_ctrl) 
    T_f := PointToNested ∧ OutsideNestedAttr 

    return NestAttr_env(C_dead ∪ C_risk) := NestedAttr_pre, T_f 

B. Fixing Algorithm: Game Solving with Nested Attractor Computation 

The first step of fixing is to compute the nested-risk-attractor from the set of bad states 
C_risk ∪ C_dead. Let V_ctrl (T_ctrl) and V_env (T_env) be the set of control and environment states 
(transitions) in the encoded game. Let the risk-attractor Attr_env(X) := ⋃_{k∈ℕ} attr^k_env(X), where 

$\mathrm{attr}_{env}(X) := X \cup \{ v \in V_{env} \mid vT_{env} \cap X \neq \emptyset \} \cup \{ v \in V_{ctrl} \mid \emptyset \neq vT_{ctrl} \subseteq X \},$ 

i.e., attr_env(X) extends a state set X by all those states from which either the environment can 
move to X within one step or control cannot prevent moving to X within the next step. (vT_env 
denotes the set of environment successors of v, and vT_ctrl denotes the set of control successors 
of v.) Then Attr_env(C_risk ∪ C_dead) := ⋃_{k∈ℕ} attr^k_env(C_risk ∪ C_dead) contains all nodes from 
which the environment can force any play to visit the set C_risk ∪ C_dead. 

[Figure 2: control location c1 (drawn as a circle) with two outgoing edges. Edge σ1 is encoded as 
(state = c1) ∧ (state' = c1) ∧ enc'(σ1) ∧ σ1' ∧ ¬σ2'; edge σ2 is encoded as 
(state = c1) ∧ (state' = c1) ∧ enc'(σ2) ∧ ¬σ1' ∧ σ2'.] 
Figure 2. Intermediate nested computation: scenario when system S is in configuration c1, which is outside the 
attractor but Vis^{σ1}_{σ2} = Vis^{σ2}_{σ1} = False. 

Nevertheless, nodes outside the risk-attractor are not necessarily safe due to visibility con- 
straints. Figure 2 illustrates this. Configuration c1 is a control location, and it 
is outside the attractor: although it has an edge σ1 which points to the risk-attractor, it has 
another edge σ2 which does not lead to the attractor. We call positions like c1 error 
points. Admittedly, applying priority σ1 ≺ σ2 at c1 is sufficient to avoid entering the attractor. 
However, as Vis^{σ1}_{σ2} = False, the components which try to execute σ1 are unaware 
of the enabledness of σ2, so σ1 can be executed freely. Therefore, we should add c1 explicitly 
to the (already saturated) attractor and recompute the attractor due to the inclusion of new 
vertices. This leads to an extended computation of the risk-attractor (i.e., the nested-risk-attractor). 

Definition 5: The nested-risk-attractor NestAttr_env(C_risk ∪ C_dead) is the smallest superset 
of Attr_env(C_risk ∪ C_dead) such that the following holds. 

1) For state c ∉ NestAttr_env(C_risk ∪ C_dead), where there exists a (bad-entering) transition 
t ∈ T_ctrl with source c and target c' ∈ NestAttr_env(C_risk ∪ C_dead): 

• (Good control state shall have one escape) there exists another transition t' ∈ T_ctrl 
such that its source is c but its destination c'' ∉ NestAttr_env(C_risk ∪ C_dead). 

• (Bad-entering transition shall have another visible candidate) for every bad-entering 
transition t of c, in the encoding let σ be the chosen interaction for execution (enc'(σ) = 
True). Then there exists another interaction τ such that, in the encoding, τ' = True. 

2) (Add if environment can enter) If v ∈ V_env and vT_env ∩ NestAttr_env(C_risk ∪ C_dead) ≠ ∅, 
then v ∈ NestAttr_env(C_risk ∪ C_dead). 

Algorithm 4 uses a nested fixpoint for computing a symbolic representation of a nested 
risk attractor. The notation ∃Ξ (∃Ξ') is used to represent existential quantification over all 
unprimed (primed) variables used in the system encoding. Moreover, we use the operator 
SUBS(X, Ξ, Ξ'), as available in many BDD packages, for variable swap (substitution) from 
unprimed to primed variables in X. For preparation (lines 1 to 3), we first create a predicate 
which explicitly records when an interaction σi is enabled and chosen (i.e., σi' = True and 
enc'(σi) = True). For every other interaction σj, the variable σj' is evaluated to False in the 
BDD (i.e., either it is disabled or not visible by σi, following Algorithm 2, lines 4 and 5). 

The nested computation consists of two while loops (lines 4, 5): the inner while loop B.1 
computes the familiar risk attractor, and B.2 computes the set of transitions T whose source 
is outside the attractor but whose destination is inside the attractor. Notice that for every source 
vertex c of a transition in T: (1) it has chosen an interaction σ ∈ Σ to execute, but it is 
a bad choice; (2) there exists another choice τ whose destination is outside the attractor 
(otherwise, c would be in the attractor). However, such a τ may not be visible by σ. Therefore, 
∃Ξ' : (T ∧ Esc) creates those states without any visible escape, i.e., without any other visible 
and enabled interaction under the local view of the chosen interaction. These states form the 
set of new bad states newBadStates due to architectural limitations. 

A visible escape is not necessarily a "true escape", as illustrated in Figure 3. It is possible 
that for state c2, the visible escape of g is a, while the visible escape of a is g. Therefore, 
it only suggests candidates for fixing, and in these cases a feasible fix is derived in a SAT 
resolution step (Section IV-C). Finally, Part C of the algorithm extracts T_f (similar to extracting 
T in B.2). 

Consider again the situation depicted in Figure 2. In Algorithm 4, after the attractor is 
computed, lines 6-8 extract the symbolic transition (state = c1) ∧ (state' = c1) ∧ enc'(σ1) ∧ 
σ1' ∧ ¬σ2'. Then by a conjunction with Esc (from lines 1 to 3) and performing quantifier 
elimination over primed variables, one recognizes that c1 shall be added to newBadStates; 
the algorithm continues with the next round of nested computation. 
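To make the nested fixpoint concrete, the following is an added example (it is not code from the paper or from VissBIP) that runs the structure of Algorithm 4 on an explicitly enumerated game instead of on BDDs: sets of states stand in for the symbolic predicates, and the quantifier-and-substitute steps become successor lookups. The toy game, its risk state, the state and interaction names, and the visibility relation VIS are all constructed for this example; control state c1 reproduces the Figure 2 situation (a bad edge whose escape is not visible), while c2 has a visible escape and therefore stays outside the nested attractor and shows up in T_f.

```python
"""Nested-risk-attractor (Algorithm 4) on an explicitly enumerated game.
Added example, not the paper's or VissBIP's code: sets of states replace BDDs,
and the toy game, risk state and visibility relation below are constructed."""
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str, str]   # (control state, chosen interaction, environment successor)

# Constructed toy game. A control state picks an interaction and moves to an
# environment state; the environment then picks the next control state.
CTRL: Dict[str, List[Tuple[str, str]]] = {
    "c0":   [("s1", "e0a"), ("s2", "e0b")],
    "c1":   [("a", "e1"), ("b", "e2")],      # Figure-2 shape: a enters the risk, b escapes
    "c2":   [("g", "e3"), ("h", "e4")],
    "safe": [("idle", "e5")],
    "risk": [],                              # risk state: nothing left to choose
}
ENV: Dict[str, List[str]] = {
    "e0a": ["c1"], "e0b": ["c2"], "e1": ["risk"], "e2": ["safe"],
    "e3": ["risk"], "e4": ["safe"], "e5": ["safe"],
}
RISK: Set[str] = {"risk"}
# (sigma, tau) in VIS  <=>  tau is visible by sigma (Vis^sigma_tau = True).
# (a, b) is deliberately absent: at c1 the escape b cannot be seen by a.
VIS: Set[Tuple[str, str]] = {("s1", "s2"), ("g", "h")}


def risk_attractor(bad: Set[str]) -> Set[str]:
    """Attr_env(bad), loop B.1: add environment states with a successor in the
    set and control states whose non-empty successor set lies inside it."""
    attr = set(bad)
    while True:
        post = set(attr)
        for v, succs in ENV.items():
            if any(s in attr for s in succs):
                post.add(v)
        for c, edges in CTRL.items():
            if edges and all(dst in attr for _, dst in edges):   # PointTo \ Escape
                post.add(c)
        if post == attr:                                           # image saturated
            return attr
        attr = post


def entering_edges(region: Set[str]) -> List[Edge]:
    """Control transitions with source outside `region` and target inside (B.2 / Part C)."""
    return [(c, sig, dst) for c, edges in CTRL.items() if c not in region
            for sig, dst in edges if dst in region]


def visible_escapes(c: str, sigma: str, vis: Set[Tuple[str, str]] = VIS) -> List[str]:
    """Other interactions enabled at c that sigma can see: exactly the literals
    sigma_j' that the Esc predicate requires to be False."""
    return [tau for tau, _ in CTRL[c] if tau != sigma and (sigma, tau) in vis]


def nested_risk_attractor(bad: Set[str], vis: Set[Tuple[str, str]] = VIS) -> Tuple[Set[str], List[Edge]]:
    """Outer loop of Algorithm 4: recompute the attractor, then absorb every source
    of a bad-entering edge that has no visible escape, until nothing changes."""
    nested = set(bad)
    while True:
        attr = risk_attractor(nested)
        new_bad = {c for c, sig, _ in entering_edges(attr) if not visible_escapes(c, sig, vis)}
        post = attr | new_bad
        if post == nested:
            return nested, entering_edges(nested)     # NestAttr_env and T_f
        nested = post


def fix_candidates(tf: List[Edge], vis: Set[Tuple[str, str]] = VIS) -> Dict[Tuple[str, str], List[str]]:
    """For each edge of T_f: the escapes visible from the bad interaction (input to Section IV-C)."""
    return {(c, sig): visible_escapes(c, sig, vis) for c, sig, _ in tf}


def infeasible(initial: str, nested: Set[str]) -> bool:
    """Proposition 4: the initial state inside the nested attractor means no priority set can help."""
    return initial in nested


if __name__ == "__main__":
    nested, tf = nested_risk_attractor(RISK)
    print("nested attractor:", sorted(nested))
    print("T_f:", tf)
    print("fix candidates:", fix_candidates(tf))
    print("infeasible:", infeasible("c0", nested))
```

On this game the plain risk attractor is {risk, e1, e3}; the first outer round absorbs c1 (its bad edge a has no visible escape), the second round then pulls in the environment state e0a, after which the set is stable. T_f contains the two edges that still enter the nested attractor from outside, (c0, s1) and (c2, g), each with one visible escape. Running the same computation with an empty VIS absorbs c0 as well, which is the Proposition 4 infeasibility case.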

Algorithm 4 terminates, since the number of states that can be added to Attr_post (in the 
inner loop) and NestedAttr_post (in the outer loop) is finite. The following proposition is used 
to detect the infeasibility of distributed priority synthesis problems. 

Proposition 4: Assume the base-level execution of Algorithm 1, where asgn = ∅. If 
the encoding of the initial state is contained in NestAttr_env(C_risk ∪ C_dead), then the distributed 
priority synthesis problem for S with C_risk is infeasible. 

Proof: In Algorithm 1, when the fixing process is invoked at the base level where asgn = 
∅, P_tran = P. Assume that after the execution of the nested-risk-attractor computation (Algorithm 4), the 
symbolic encoding of the initial state c0 (which is a control state) is in NestAttr_env(C_risk ∪ 
C_dead). Then based on Algorithm 4, the encoded state of c0 is added to NestAttr because 

• either all of its edges enter the previously computed NestAttr (in this case, no priority 
can help to block the entry), 

• or it has a transition which enters the previously computed NestAttr with interaction σ 
but has no visible escape τ, i.e., in the encoding of the transition, enc'(σ) = True and 
for all τ ∈ Σ, τ ≠ σ, we have the encoding τ' = False. From the way the encoding sets τ' 
to False, we know that for such a transition, any fix of the form σ ≺ τ is either not 
supported by the architecture (see Algorithm 2 for the encoding, line 5), or τ is not enabled 
at c0 (Algorithm 2, line 4). Therefore, in the distributed execution, executing σ at c0 cannot 
be blocked by the use of priorities. 

Overall, this leads to the entry of the previously computed NestAttr. Continuing the process, 
we can conclude that C_risk ∪ C_dead can be reached, and no priority can assist in escaping from 
entering. Considering that the analysis is done at the base level where P_tran = P, there exists 
no P_d+ as a solution of the distributed priority synthesis problem. 

The number of required steps of entering is no larger than outer × inner steps, where outer 
is the number of iterations of the outer while loop, and inner is the maximum number of 
iterations over all inner while loop executions. ■ 



C. Fixing Algorithm: SAT Problem Extraction and Conflict Resolution 

The return value T_f of Algorithm 4 contains not only the risk interactions but also all possible 
interactions which are visible and enabled (see Algorithm 2 for the encoding, Proposition 2 for 
the result). Consider, for example, the situation depicted in Figure 3 and assume that Vis^a_b, Vis^a_c, 
Vis^g_a, Vis^b_a, and Vis^b_c are the only visibility constraints which hold True. If T_f returns three 
transitions, one may extract fix candidates from each of these transitions in the following way. 

• On c2, a enters the nested-risk-attractor, while b, c are also visible from a; one obtains 
the candidates {a ≺ b, a ≺ c}. 

• On c2, g enters the nested-risk-attractor, while a is also visible from g; one obtains the 
candidate {g ≺ a}. 

• On c3, b enters the nested-risk-attractor, while a is also visible; one obtains the candidate 
{b ≺ a}. 

Using these candidates, one can perform conflict resolution and generate a set of new priorities 
for preventing entry into the nested-risk-attractor region. For example, {a ≺ c, g ≺ a, b ≺ a} 
is such a set of priorities for ensuring the safety condition. Notice also that the set {a ≺ b, g ≺ 
b, b ≺ a} is circular, and therefore not a valid set of priorities. 

In our implementation, conflict resolution is performed using SAT solvers. Priorities σ1 ≺ σ2 
are represented as a Boolean variable σ1 ≺ σ2. If the generated SAT problem is satisfiable, for 
all variables σ1 ≺ σ2 which are evaluated to True, we add priority σ1 ≺ σ2 to the resulting 
introduced priority set P_d+. The constraints below correspond to the ones for the global priority 
synthesis framework [8]. 

1) (Priority candidates) For each edge t ∈ T_f which enters the risk attractor using σ and 
having σ1, ..., σe visible escapes (excluding σ), create the clause (⋁_{i=1..e} σ ≺ σi). 

2) (Existing priorities) For each priority σ ≺ τ ∈ P, create the clause (σ ≺ τ). 

3) (Irreflexive) For each interaction σ used in (1) and (2), create the clause (¬(σ ≺ σ)). 

4) (Transitivity) For any σ1, σ2, σ3 used above, create the clause ((σ1 ≺ σ2 ∧ σ2 ≺ σ3) ⇒ σ1 ≺ σ3). 

Clauses for architectural constraints also need to be added in the case of distributed priority 
synthesis. For example, if σ1 ≺ σ2 and σ2 ≺ σ3, then due to transitivity we shall include the 
priority σ1 ≺ σ3. But if Vis^{σ1}_{σ3} = False, then σ1 ≺ σ3 is not supported by communication. 
In the above example, as Vis^b_c = True, {a ≺ c, g ≺ a, b ≺ a} is a legal set of priority fixes 
satisfying the architecture (because the inferred priority b ≺ c is supported). Therefore, we 
introduce the following constraints. 

• (Architectural Constraint) Given σ1, σ2 ∈ Σ, if Vis^{σ1}_{σ2} = False, then σ1 ≺ σ2 is 
evaluated to False. 

• (Communication Constraint) Given σ1, σ2 ∈ Σ, if Vis^{σ1}_{σ2} = False, then for any interaction 
σ3 ∈ Σ with Vis^{σ1}_{σ3} = Vis^{σ3}_{σ2} = True, at most one of σ1 ≺ σ3 or σ3 ≺ σ2 is evaluated to 
True. 

A correctness argument for this fixing process can be found in the appendix. 
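The clause generation above, applied to the Figure 3 candidates, as an added example (this is not the VissBIP/SAT4J code): an exhaustive search over the priority variables stands in for the SAT solver, and the irreflexivity, transitivity, architectural and communication constraints are built exactly as listed. The candidate triples are read off the bullets above; the visibility relation is a constructed assumption, because the paper's own list of true Vis constraints is only partly legible in this copy. Note in particular that (g, c) is assumed visible here: g ≺ a together with a ≺ c forces g ≺ c through the transitivity clause, and without that pair the architectural constraint makes the instance unsatisfiable. The independent `check_priorities` routine mirrors the paper's remark about the circular set {a ≺ b, g ≺ b, b ≺ a}.

```python
"""Conflict resolution over fix candidates as a propositional problem (Section IV-C).
Added example, not the VissBIP/SAT4J code: an exhaustive search stands in for the
SAT solver, and the visibility relation is a constructed assumption."""
from itertools import product
from typing import List, Optional, Set, Tuple

Pair = Tuple[str, str]          # (sigma, tau) names the Boolean variable "sigma < tau"
Literal = Tuple[Pair, bool]     # (variable, polarity it must take to satisfy the literal)
Clause = List[Literal]

# Fix candidates as read off Figure 3: (error point, bad interaction, visible escapes).
CANDIDATES: List[Tuple[str, str, List[str]]] = [
    ("c2", "a", ["b", "c"]),
    ("c2", "g", ["a"]),
    ("c3", "b", ["a"]),
]
EXISTING: Set[Pair] = set()     # P: no priorities given up front
# Pairs with Vis^sigma_tau = True: the five the text names plus (g, c), which is
# ASSUMED here so that g < c, inferred by transitivity from g < a and a < c, is supported.
VIS: Set[Pair] = {("a", "b"), ("a", "c"), ("g", "a"), ("b", "a"), ("b", "c"), ("g", "c")}


def used_interactions(cands, existing) -> List[str]:
    used = {x for _, sig, esc in cands for x in [sig, *esc]}
    used.update(x for pair in existing for x in pair)
    return sorted(used)


def build_clauses(cands, existing, vis) -> Tuple[List[Pair], List[Clause]]:
    """Clauses (1)-(4) of the text plus the architectural and communication constraints."""
    sigmas = used_interactions(cands, existing)
    variables = [(s, t) for s in sigmas for t in sigmas if s != t]
    clauses: List[Clause] = []
    for _, sig, escapes in cands:                                   # (1) priority candidates
        clauses.append([((sig, tau), True) for tau in escapes])
    for s, t in existing:                                           # (2) existing priorities
        clauses.append([((s, t), True)])
    for s in sigmas:                                                # (3) irreflexive
        clauses.append([((s, s), False)])
    for s1, s2, s3 in product(sigmas, repeat=3):                    # (4) transitivity, as an implication
        clauses.append([((s1, s2), False), ((s2, s3), False), ((s1, s3), True)])
    for s1, s2 in variables:
        if (s1, s2) not in vis:
            clauses.append([((s1, s2), False)])                     # architectural constraint
            for s3 in sigmas:                                       # communication constraint
                if (s1, s3) in vis and (s3, s2) in vis:
                    clauses.append([((s1, s3), False), ((s3, s2), False)])
    return variables, clauses


def solve(variables: List[Pair], clauses: List[Clause]) -> Optional[Set[Pair]]:
    """Exhaustive search in place of the SAT solver. Among satisfying assignments it
    returns the one with the fewest priorities set to True (the RP-1 idea), else None."""
    best: Optional[Set[Pair]] = None
    for bits in product((False, True), repeat=len(variables)):
        assign = dict(zip(variables, bits))
        # sigma < sigma is never a variable, so it reads as False
        if all(any(assign.get(v, False) == pol for v, pol in clause) for clause in clauses):
            chosen = {v for v, on in assign.items() if on}
            if best is None or len(chosen) < len(best):
                best = chosen
    return best


def transitive_closure(prios: Set[Pair]) -> Set[Pair]:
    closure = set(prios)
    while True:
        extra = {(a, d) for a, b in closure for c, d in closure if b == c} - closure
        if not extra:
            return closure
        closure |= extra


def check_priorities(prios: Set[Pair], vis: Set[Pair]) -> List[str]:
    """Independent check of a proposed set: irreflexive after closure (no cycle) and
    every inferred priority supported by the architecture."""
    problems = []
    for s, t in sorted(transitive_closure(prios)):
        if s == t:
            problems.append(f"cycle through {s}")
        elif (s, t) not in vis:
            problems.append(f"{s} < {t} not supported by the architecture")
    return problems


def synthesize(cands=CANDIDATES, existing=EXISTING, vis=VIS) -> Optional[Set[Pair]]:
    variables, clauses = build_clauses(cands, existing, vis)
    return solve(variables, clauses)


if __name__ == "__main__":
    print("P_d+ =", synthesize())
    print("circular set:", check_priorities({("a", "b"), ("g", "b"), ("b", "a")}, VIS))
```

The solver returns the paper's set {a ≺ c, g ≺ a, b ≺ a} together with its transitive consequences b ≺ c and g ≺ c, since the transitivity clauses force every inferred priority to be set as well; a ≺ b is rejected because g ≺ a ∧ a ≺ b would infer g ≺ b, which the architecture does not support (the communication constraint expresses the same conflict directly).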

V. Implementation 

Our algorithm for solving the distributed priority synthesis problem has been implemented 
in Java on top of the open-source workbench VissBIP¹ for graphically editing and visualizing 
systems of interacting components. The synthesis engine itself is based on the JDD package 
for binary decision diagrams, and the SAT4J propositional satisfiability solver. In addition, 
we implemented a number of extensions and optimizations (e.g., Proposition 4)² to the core 
algorithm in Section IV; for lack of space, details need to be omitted. 

First, we also use the result of the unsatisfiable core during the fix process to guide the 
assignment of variables (where each represents a priority) in the DPS algorithm. E.g., if the 
fix does not succeed as both σ ≺ τ and τ ≺ σ are used, the engine then introduces σ ≺ τ. 
Then in the next diagnosis process, the engine cannot propose a fix of the form τ ≺ σ (as to 
give such a fix, the engine requires that when τ and σ are enabled while τ is chosen for 
execution, σ is also enabled; the enabledness of σ contradicts σ ≺ τ). 

Second, we over-approximate the nested risk attractor by parsimoniously adding all 
source states in T_f, as returned from Algorithm 4, to the nested-risk-attractor before recom- 
puting; this increases the chances of creating a new T_f where conflicts can be resolved. 

Lastly, whenever possible the implementation tries to synthesize local controllers with- 
out any state information. If such a diagnosis-fixing fails, the algorithm can also perform a 
model transformation of the interacting components which is equivalent to transmitting state 
information in the communication. Recall that the symmetric communication architecture in 
Figure 1 requires communicating not only the intended next moves but also the current 
source locations. In order to minimize the amount of state information that is required to 
communicate, we lazily extract refinement candidates from (minimal) unsatisfiable cores of 
failed runs of the propositional solver, and correspondingly refine the alphabet by including new 
state information. Alternatively, a fully refined model transformation can eagerly be computed 
in VissBIP. 

¹ Available from http://www.fortiss.org/formal-methods 

² In the implementation, Algorithm 4 works symbolically on BDDs and proceeds on cubes of the risk-edges (a cube 
contains a set of states having the same enabled interactions and the same risk interaction); hence it avoids enumerating 
edges state-by-state. 

Figure 3. Locating fix candidates outside the nested-risk-attractor. 

VI. Evaluation 

We validate our algorithm using a collection of benchmarking models including a memory 
access problem, power allocation assurance, and working protection in industrial automation; 
some of these case studies are extracted from industrial case studies. Table II summarizes the 
results obtained on an Intel machine with a 3.4 GHz CPU and 8 GB RAM. Besides runtime we 
also list the algorithmic extensions and optimizations described in Section V. 

The experiments 1.1 through 1.16 in Table II refer to variations of the multiprocessor 
scheduling problem with an increasing number of processors and memory banks. Depending on 
the communication architecture, the engine uses refinement or extracts the UNSAT core to 
find a solution. 

Experiments 2.1 and 2.2 refer to a multi-robot scenario with possible moves in a predefined 
arena, and the goal is to avoid collisions by staying within a predefined protection cap. The 
communication architecture is restricted in that the i-th robot can only notify the ((i + 1) % n)- 
th. 

In experiments 3.1 through 3.6 we investigate the classical dining philosophers problem 
using various communication architectures. If the communication is clockwise, then the engine 
fails to synthesize priorities³. If the communication is counter-clockwise (i.e., a philosopher 
can notify its intention to his right philosopher), then the engine is also able to synthesize 
distributed priorities (for n philosophers, n rules suffice). Compared to our previous priority 
synthesis technique, as in distributed priority synthesis we need to separate visibility and 
enabled interactions, the required time for synthesis is longer. 

³ Precisely, in our model, we allow each philosopher to pass his intention over his left fork to the philosopher on 
his left. The engine uses Proposition 4 and diagnoses that it is impossible to synthesize priorities, as the initial state 
is within the nested-risk-attractor. 

Table II 
Experimental results on distributed priority synthesis 

Index | Testcase and communication architecture          | Components | Interactions | Time (seconds) | Remark 
------|--------------------------------------------------|------------|--------------|----------------|---------------- 
1.1   | 4 CPUs with broadcast A                          | 8          | 24           | 0.17           | X 
1.2   | 4 CPUs with local A, D                           | 8          | 24           | 0.25           | A 
1.3   | 4 CPUs with local communication                  | 8          | 24           | 1.66           | R 
1.4   | 6 CPUs with broadcast A                          | 12         | 36           | 1.46           | RP-2 
1.5   | 6 CPUs with broadcast A, F                       | 12         | 36           | 0.26           | X 
1.6   | 6 CPUs with broadcast A, D, F                    | 12         | 36           | 1.50           | A 
1.7   | 6 CPUs with local communication                  | 12         | 36           | -              | fail 
1.8   | 8 CPUs with broadcast A                          | 16         | 48           | 8.05           | RP-2 
1.9   | 8 CPUs with broadcast A, H                       | 16         | 48           | 1.30           | X 
1.10  | 8 CPUs with broadcast A, D, H                    | 16         | 48           | 1.80           | 
1.11  | 8 CPUs with broadcast A, B, G, H                 | 16         | 48           | 3.88           | RP-2 
1.12  | 8 CPUs with local communication                  | 16         | 48           | 42.80          | R 
1.13  | 10 CPUs with broadcast A                         | 20         | 60           | 135.03         | RP-2 
1.14  | 10 CPUs with broadcast A, J                      | 20         | 60           | 47.89          | RP-2 
1.15  | 10 CPUs with broadcast A, E, F, J                | 20         | 60           | 57.85          | RP-2 
1.16  | 10 CPUs with local communication A, B, E, F, I, J | 20        | 60           | 70.87          | RP-2 
2.1   | 4 Robots with 12 locations                       | 4          | 16           | 11.86          | RP-1 
2.2   | 6 Robots with 12 locations                       | 6          | 24           | 71.50          | RP-1 
3.1   | Dining Philosopher 10 (no communication)         | 20         | 30           | 0.25           | imp 
3.2   | Dining Philosopher 10 (clockwise next)           | 20         | 30           | 0.27           | imp 
3.3   | Dining Philosopher 10 (counter-clockwise next)   | 20         | 30           | 0.18           | X (nor: 0.16) 
3.4   | Dining Philosopher 20 (counter-clockwise next)   | 40         | 60           | 0.85           | X, g (nor: 0.55) 
3.5   | Dining Philosopher 30 (counter-clockwise next)   | 60         | 90           | 4.81           | X, g (nor: 2.75) 
4     | DPU module (local communication)                 | 4          | 27           | 0.42           | X 
5     | Antenna module (local communication)             | 20         | 64           | 17.21          | RP-1 

Remarks: 
X: Satisfiable by direct fixing (without assigning any priorities) 
A: Nested-risk-attractor over-approximation 
R: State-based priority refinement 
RP-1: Using UNSAT core: start with the smallest amount of newly introduced priorities 
RP-2: Using UNSAT core: start with a subset of local non-conflicting priorities extracted from the UNSAT core 
fail: Fail to synthesize priorities (time out > 150 seconds using RP-1) 
imp: Impossible to synthesize priorities from diagnosis at base level (using Proposition 4) 
g: Initial variable ordering provided (the ordering is based on breaking the circular order into a linear order) 
nor: Priority synthesis without considering architectural constraints (engine in [8]) 

Experiment 4 is based on a case study for increasing the reliability of data processing units 
(DPUs) by using multiple data sampling. The mismatch between the calculated results from 
different devices may yield deadlocks. The deadlocks can be avoided with the synthesized 
priorities from VissBIP without modifying local behaviors. 

Finally, in experiment 5, we synthesize a decentralized controller for the Dala robot [3], 
which is composed of 20 different components. A hand-coded version of the control indeed 
did not rule out deadlocks. Without any further communication constraints between the com- 
ponents, VissBIP locates the deadlocks and synthesizes additional priorities to avoid them. 

VII. Related Work 

Distributed controller synthesis is undecidable [19] even for reachability or simple safety 
conditions [13]. A number of decidable subproblems have been proposed either by restricting 
the communication structures between components, such as pipelined, or by restricting the 
set of properties under consideration [17], [16], [18], [11]; these restrictions usually limit 
applicability to a wide range of problems. Schewe and Finkbeiner's [20] bounded synthesis 
works on LTL specifications: when using automata-based methods, it requires that each process 
obtain the same information from the environment. The method is extended to encode 
locality constraints to work on arbitrary structures. Distributed priority synthesis, on the one hand, 
starts from a given distributed system together with an additional safety requirement 
to ensure. On the other hand, it is also flexible enough to specify different communication 
architectures between the controllers, such as master-slave in the multiprocessor scheduling 
example. To perform distributed execution, we have also explicitly indicated how such a strategy 
can be executed on concrete platforms. 

Starting with an arbitrary controller, Katz, Peled and Schewe [15], [14] propose a knowledge- 
based approach for obtaining a decentralized controller by reducing the number of required 
communications between components. This approach assumes a fully connected communication 
structure, and the approach fails if the starting controller is inherently non-deployable. 

Bonakdarpour, Kulkarni and Lin [5] propose methods for adding fault recovery to BIP 
components. The algorithms in [5], [6] are orthogonal in that they add additional behavior, for 
example new transitions, for individual components instead of determinizing possible interac- 
tions among components as in distributed priority synthesis. However, distributed synthesis as 
described by Bonakdarpour et al. [4] is restricted to local processes 
without joint interactions between components. 

Lately, the problem of deploying priorities on a given architecture has gained increased 
recognition [10], [12]; the advantage of priority synthesis is that the set of synthesized priorities 
is always known to be deployable. 

VIII. Conclusion 

We have presented a solution to the distributed priority synthesis problem for synthesizing 
deployable local controllers by extending our previous algorithm for synthesizing stateless win- 
ning strategies in safety games [10], [8]. We investigated several algorithmic optimizations and 
validated the algorithm on a wide range of synthesis problems from multiprocessor scheduling 
to modular robotics. Although these initial experimental results are indeed encouraging, they 
also suggest a number of further refinements and extensions. 

The model of interacting components can be extended to include a rich set of data types 
by either using Boolean abstraction in a preprocessing phase or by using satisfiability modulo 
theory (SMT) solvers instead of a propositional satisfiability engine; in this way, one might also 
synthesize distributed controllers for real-time systems. Another extension is to explicitly 
add faulty or adaptive behavior by means of demonic non-determinism. 

Distributed priority synthesis might not always return the most useful controller. For example, 
for the Dala robot, the synthesized controllers effectively shut down the antenna to obtain a 
deadlock-free system. Therefore, for many real-life applications we are interested in obtaining 
optimal (for example w.r.t. energy consumption) or Pareto-optimal controls. 

Finally, the priority synthesis problem as presented here needs to be extended to achieve 
goal-oriented orchestration of interacting components. Given a set of goals in a rich temporal 
logic and a set of interacting components, the orchestration problem is to synthesize a controller 
such that the resulting assembly of interacting components exhibits goal-directed behavior. One 
possible way forward is to construct bounded reachability games from safety games. 

Our vision for the future of programming is that, instead of painstakingly engineering 
sequences of program instructions as in the prevailing Turing tarpit, designers rigorously 
state their intentions and goals, and the orchestration techniques based on distributed priority 
synthesis construct corresponding goal-oriented assemblies of interacting components [21]. 

Appendix 

A. Proofs for Theorem 1 

Proof: We use a variable σ ≺ τ such that σ ≺ τ = True means that priority σ ≺ τ is 
included in P ∪ P_d+. We have |Σ|² such variables, and denote the set of all variables by V_Σ. 

• (NP-hardness) We have previously proven (in [10]) that in a single-player game, where 
Env is restricted to deterministic updates, finding a solution to the priority synthesis 
problem is NP-complete in the size |Q| + |δ| + |Σ| (done by a reduction from 3SAT to 
priority synthesis). For the hardness of distributed priority synthesis, the reduction seems 
to be an immediate result, as priority synthesis can be viewed as a case of distributed 
priority synthesis under a fully connected communication architecture. Nevertheless, as 
Com appears in distributed priority synthesis and does not appear in normal priority 
synthesis, we also need to consider the time used to construct the fully connected architecture, 
which is of size |C|². Notice that |C| is not a parameter which appears in the earlier 
result. This is the reason why we need special care to constrain |C|² to be bounded by 
|Q| + |δ| + |Σ|. With such a constraint, as (1) the construction of the fully connected architecture 
is in time polynomially bounded by |Q| + |δ| + |Σ| and (2) the system is the same, we 
obtain a polynomial time reduction. 

[Formal reduction] For the reduction from priority synthesis (environment deterministic 
case) to distributed priority synthesis, given S, we construct the fully connected architec- 
ture Com. As |Com| = |C|², based on the assumption that |C|² ≤ |Q| + |δ| + |Σ|, the 
time required for the construction is polynomially bounded by |Q| + |δ| + |Σ|. 

  • (⇒) Assume P+ is the set of priorities from priority synthesis such that (C, Σ, P ∪ 
  P+) is safe. Then for the translated problem (distributed priority synthesis with fully 
  connected architecture), all priorities in P+ are deployable, so P+ is also a solution 
  for the translated problem. 

  • (⇐) The converse is also true. 

• (NP) Nondeterministically select a subset of V_Σ and assign them to True (for the others set to 
False); such a subset defines a set of priorities. We need to check that the corresponding 
priorities satisfy the three conditions of distributed priority synthesis (Definition 5). 

  • The first condition can be checked by computing the transitive closure and is in time 
  cubic in |Σ|². 

  • The second condition can be checked by using a forward reachability analysis (from the 
  initial configuration) to compute the set of reachable states, and during the computation, 
  checking if any bad state is reached. During the reachability analysis, every time we try to 
  add a σ-successor c' from a configuration c, we check if there exists a priority σ ≺ τ 
  which is evaluated to True and where τ is also enabled, such that τ blocks the adding 
  of c' to the reachable set. The overall time for the analysis is linear in |Q||δ||Σ|². 

  • For the last condition, we check, if σ ≺ τ = True, for all Ci where τ ∈ Σi and Cj 
  where σ ∈ Σj, that (Cj, Ci) ∈ Com. 

    • Each check involves at most |C| × |C| pairs. There are at most |Σ|² variables 
    that need to be checked. 

    • Each pair is checked in time linear in |Com|, where |Com| is bounded by |C|². 

    • Therefore, the total required time for checking is bounded by O(|C|⁴|Σ|²). 

    • As |C|² ≤ |Q| + |δ| + |Σ|, the total required time for checking is polynomially 
    bounded by |Q| + |δ| + |Σ|. 

  • In addition, we also check if the selected set contains P, which is done in time 
  polynomially bounded by 



B. Soundness of the SAT Resolution in the Fixing Process 

Concerning correctness of the whole fixing algorithm, the key issue is whether it is possible 
for the SAT resolution to create a set of priorities which is unable to block the entry to the 
nested-risk-attractor (if it is unable to do so, then the algorithm is incorrect). Although our 
algorithm is performed symbolically, it is appropriate to consider each location separately (as 
if there is no symbolic execution). 

For a control location s where s is within the source of 7/ returned from Algorithm [4] 
(recall in Section [lV-B| we call s an error point), we denote the set of its outgoing transitions 
as Tg. Recall that for each transition in Tg, it represents a unique selection (execution) of an 
interaction. We use Eg C S to represent the set of corresponding interactions in Tg. can be 
partitioned to Es.bad and 'Ss.good, where J^s,bad interactions which enter the nested-risk- 
attractor, and T^s,good are interactions which keep out from the nested-risk-attractor. Notice that 
the size of 'Ss,good is at least 1 (otherwise, s shall be added to the nested-risk-attractor by the 
inner while-loop of Algorithm [4]). 

We now prove that: if the SAT solver returns a solution (it is also possible to return 
unsatisfiable, but then we just report that no fix-solution is generated and continue the DPS 
algorithm), then for every error point $s$ and each $\sigma \in \Sigma_{s,bad}$, there exists $\tau \in \Sigma_{s,good}$ 
such that $\sigma \prec \tau$ is in the synthesized priority set (then at $s$, as $\tau$ is enabled, $\sigma$ is 
guaranteed to be blocked). 

Proof: The proof proceeds as follows. 

1) (Guaranteed by Algorithm [4], line 9) As $s$ is not inside the nested-risk-attractor, for every 
$\sigma \in \Sigma_{s,bad}$ there exists $\Sigma_\sigma \subseteq \Sigma_s \setminus \{\sigma\}$ such that $\sigma \prec \tau$ evaluates to True 
for all $\tau \in \Sigma_\sigma$. Therefore, each bad interaction has at least one fix candidate. 

2) (Definition of staying outside the nested-risk-attractor) $|\Sigma_{s,good}| \ge 1$. Therefore, at least 
one edge is a true escape, whose destination is outside the nested-risk-attractor. 

3) (Assume contradiction) Assume that the SAT solver claims satisfiable, but from the returned 
information there exists $\sigma \in \Sigma_{s,bad}$ for which no priority $\sigma \prec \tau$ with $\tau \in \Sigma_{s,good}$ 
is returned. 

4) (Consequence) From 1 and 3, there exists $\sigma_{bad1} \in \Sigma_{s,bad}$ such that the SAT solver 
returns the priority $\sigma \prec \sigma_{bad1}$. 

5) (Violation: Case 1) From 1, $\sigma_{bad1}$ also has a fix candidate. If the SAT solver returns 
$\sigma_{bad1} \prec \sigma_{good}$, where $\sigma_{good} \in \Sigma_{s,good}$, then by transitivity (SAT clause Type 4) 
$\sigma \prec \sigma_{good}$ must also be returned by the SAT solver. Contradiction with 3. 

6) (Violation: Case 2) Otherwise, the SAT solver only returns $\sigma_{bad1} \prec \sigma_{bad2}$, where 
$\sigma_{bad2} \in \Sigma_{s,bad}$. From this, the chain $\sigma \prec \sigma_{bad1} \prec \sigma_{bad2} \prec \cdots$, which consists 
only of elements of $\Sigma_{s,bad}$, continues. This priority chain either reaches an element of 
$\Sigma_{s,good}$ (then it falls into the Case 1 violation), or it eventually repeats an element that 
occurred previously in the chain. Notice that if the chain never reaches an interaction 
$\sigma' \in \Sigma_{s,good}$, it must eventually use a bad interaction twice: the chain can contain at most 
$|\Sigma_{s,bad}|$ distinct symbols, but because every element of $\Sigma_{s,bad}$ needs to be fixed (by 1), 
the chain extends to $|\Sigma_{s,bad}| + 1$ elements, so the pigeonhole principle ensures that some 
bad interaction $\sigma_{bad,r}$ repeats. When it reappears, transitivity brings the form 
$\sigma_{bad,r} \prec \sigma_{bad,r}$, an immediate violation of SAT clause Type 3 (irreflexivity), which is 
impossible. 

7) Therefore, the assumption does not hold, which finishes the correctness proof. 
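The property just proved can be checked mechanically for one error point, which is what the following added Python example does; it is not code from the paper or from VissBIP. The assumptions are the example's own: interactions are strings, the solver's answer is represented as a set of pairs $(\sigma, \tau)$ meaning $\sigma \prec \tau$, and the transitivity and irreflexivity clauses (Types 4 and 3) are modelled by closing the relation and then looking for a reflexive pair. The chain walk in `follow_chain` reproduces step 6: it either reaches a good interaction (Case 1) or, after at most $|\Sigma_{s,bad}| + 1$ steps, revisits a bad one (Case 2).

```python
"""Added example: checking, at one error point s, the claim of Appendix B for a
priority set returned by the SAT solver.  Not the paper's code.  Assumptions
(constructed here): interactions are strings; a priority set is a set of pairs
(sigma, tau) meaning sigma < tau; SIGMA_BAD / SIGMA_GOOD stand for
Sigma_{s,bad} / Sigma_{s,good}."""

# Constructed sample error point: three bad interactions and one escape.
SIGMA_BAD = {"b1", "b2", "b3"}
SIGMA_GOOD = {"g1"}


def transitive_closure(prio):
    """Transitivity (SAT clause Type 4): Warshall closure of the returned pairs."""
    closure = set(prio)
    nodes = {x for pair in prio for x in pair}
    for k in nodes:
        for i in nodes:
            if (i, k) in closure:
                for j in nodes:
                    if (k, j) in closure:
                        closure.add((i, j))
    return closure


def irreflexive(closure):
    """Irreflexivity (SAT clause Type 3): no sigma < sigma after closure."""
    return all(a != b for a, b in closure)


def has_fix_candidate(prio, bad):
    """Step 1 of the proof: every bad interaction is given some fix candidate."""
    return all(any(a == sigma for a, _ in prio) for sigma in bad)


def every_bad_blocked(prio, bad, good):
    """The claim: for each sigma in bad there is tau in good with sigma < tau
    derivable from the returned priorities."""
    closure = transitive_closure(prio)
    return all(any((sigma, tau) in closure for tau in good) for sigma in bad)


def check_error_point(prio, bad, good):
    """Returns (fix candidates present, irreflexive after closure, claim holds)."""
    closure = transitive_closure(prio)
    return (has_fix_candidate(prio, bad), irreflexive(closure),
            every_bad_blocked(prio, bad, good))


def follow_chain(prio, start, bad, good):
    """Walk the chain sigma < sigma_bad1 < sigma_bad2 ... of step 6 from start.
    Returns ('good', tau) when a good interaction is reached (Case 1),
    ('repeat', sigma) when a bad one reappears (Case 2, pigeonhole), or
    ('stuck', sigma) if some bad interaction has no fix candidate at all."""
    succ = {}
    for a, b in prio:
        succ.setdefault(a, []).append(b)
    seen = [start]
    cur = start
    while True:
        nxt = succ.get(cur, [])
        goods = sorted(t for t in nxt if t in good)
        if goods:
            return ("good", goods[0])
        bads = sorted(t for t in nxt if t in bad)
        if not bads:
            return ("stuck", cur)
        cur = bads[0]                     # stay inside Sigma_{s,bad}
        if cur in seen:                   # at most |bad| + 1 elements visited
            return ("repeat", cur)
        seen.append(cur)


if __name__ == "__main__":
    sound = {("b1", "b2"), ("b2", "b3"), ("b3", "g1")}
    cyclic = {("b1", "b2"), ("b2", "b3"), ("b3", "b1")}
    print(check_error_point(sound, SIGMA_BAD, SIGMA_GOOD))
    print(check_error_point(cyclic, SIGMA_BAD, SIGMA_GOOD))
    print(follow_chain(cyclic, "b1", SIGMA_BAD, SIGMA_GOOD))
```

The `cyclic` sample is exactly the Case 2 situation: every bad interaction has a fix candidate, yet no chain reaches `g1`, and the closure contains `b1 < b1`, so such an assignment can never satisfy the irreflexivity clauses and the solver cannot return it.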



